Firms could improve their operational efficiency by adopting distributed ledger technology ("DLT") – also known as blockchain – but the technology also poses the risk of money laundering abuse and may be in conflict with Hong Kong's data protection rules, a new paper has found.

A white paper commissioned by the Hong Kong Monetary Authority ("HKMA") and released late last week found that DLT had great potential if the risks associated were properly addressed. High on the list of potential issues was the handling of personal data and its legal and compliance implications.

As a distributed ledger technology network is based on a number of decentralized nodes that are updated simultaneously, it becomes much more difficult to ensure that a customer's personal data is properly stored, kept no longer than necessary, and used only for the purpose for which it is collected, the paper said.

The paper, which looked into the application of DLT to mortgage loan applications, trade finance and digital identification management, said the technology could be used for money laundering purposes and the anonymous transfer of assets if adequate money laundering controls were not in place, such as know your customer ("KYC") rules and transaction monitoring controls. It also highlighted a number of other risks, including network attacks and identity theft issues.

"Traditional cyber security issues still apply to DLT, including denial of access attacks and other cyber attacks," said Norman Chan, the chief executive of the HKMA.

Apart from intentional misconduct, the legal and compliance aspect could pose the most significant challenge to a successful implementation of DLT in Hong Kong, the regulator warned.

"The decentralised model may pose challenges for constructing an effective governance structure and oversight mechanism," Chan said. "Some legal issues have yet to be thoroughly examined, such as the application and enforceability of laws for the cross-border DLT models, mechanisms for handling liability and dispute resolution if there is no centralised party administrating the DLT platform, and compliance with personal data protection principles in relation to data sharing and perpetual storage."

The paper also highlighted that little has been done so far to align DLT with current compliance and regulatory requirements. It said regulatory authorities had not issued much in the way of regulatory guidance or control principles.

"In addition, the decentralised and cross-border nature of certain proposed DLT platforms makes the regulatory issues even more complicated," the report noted. "This leads to questions about which activities should be regulated, how activities should be regulated, and by whom they should be regulated. Although it might seem most straightforward if regulators were simply to adopt a traditional regulatory approach (given their technology neutral stance), it remains unclear whether some of the key risks and legal issues associated with DLT set out in this white paper can be adequately dealt with using such an approach."

Chan said a second white paper, planned for the second half of 2017, would further address the regulatory implications of DLT and the general control principles for DLT for the banking and payment industry.

Fintech Moves

The white paper was commissioned by the HKMA as part of its effort to help build Hong Kong as a regional fintech hub. The regulator has previously launched a number of other fintech initiatives to aid this effort, including the Cybersecurity Fortification Initiative, which was announced in May this year.

Chan said the initiative had been making good progress and that an industry consultation on the Cybersecurity Resilience Assessment Programme was completed in August with positive responses from the banking sector. He said the HKMA was finalising the programme and would announce the detailed framework in December for implementation by banks in Hong Kong.

Furthermore, Chan said the Cybersecurity Intelligence Sharing Platform would be in operation and available to the banking sector in December, as planned. In addition, a training and certification programme for cyber security professionals would also be rolled out in December, he said.

With regard to the HKMA's other major fintech initiative, the regulatory sandbox, Chan said two banks have so far made use of the sandbox to conduct pilot trials of their biometric authentication and securities trading services.

"A few banks are discussing with us and planning to make use of the sandbox for conducting their project trials in the coming few months, in areas such as blockchain, artificial intelligence and many more," he said.